EC2 Network ACL Ineffective Denied Traffic
- Query id: 2623d682-dccb-44cd-99d0-54d9fd62f8f2
- Query name: EC2 Network ACL Ineffective Denied Traffic
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description
Ineffective deny rules. A deny rule should be applied to all IP addresses.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  MyNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: vpc-1122334455aabbccd
      Tags:
        - Key: Name
          Value: NACLforSSHTraffic
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: 6
      RuleAction: deny
      CidrBlock: 172.16.0.0/24
      PortRange:
        From: 22
        To: 22
  OutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: -1
      Egress: true
      RuleAction: deny
      CidrBlock: 0.0.0.0/0
Positive test num. 2 - json file
{
  "Resources": {
    "MyNACL": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "VpcId": "vpc-1122334455aabbccd",
        "Tags": [
          {
            "Key": "Name",
            "Value": "NACLforSSHTraffic"
          }
        ]
      }
    },
    "InboundRule": {
      "Properties": {
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "deny",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": {
          "From": 22,
          "To": 22
        },
        "NetworkAclId": {
          "Ref": "MyNACL"
        }
      },
      "Type": "AWS::EC2::NetworkAclEntry"
    },
    "OutboundRule": {
      "Properties": {
        "RuleAction": "deny",
        "CidrBlock": "0.0.0.0/0",
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100,
        "Protocol": -1,
        "Egress": true
      },
      "Type": "AWS::EC2::NetworkAclEntry"
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  MyNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: vpc-1122334455aabbccd
      Tags:
        - Key: Name
          Value: NACLforSSHTraffic
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      CidrBlock: 172.16.0.0/24
      PortRange:
        From: 22
        To: 22
  OutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: -1
      Egress: true
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
Negative test num. 2 - json file
{
  "Resources": {
    "MyNACL": {
      "Properties": {
        "VpcId": "vpc-1122334455aabbccd",
        "Tags": [
          {
            "Key": "Name",
            "Value": "NACLforSSHTraffic"
          }
        ]
      },
      "Type": "AWS::EC2::NetworkAcl"
    },
    "InboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": {
          "From": 22,
          "To": 22
        },
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100,
        "Protocol": 6
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100,
        "Protocol": -1,
        "Egress": true,
        "RuleAction": "allow",
        "CidrBlock": "0.0.0.0/0"
      }
    }
  }
}
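
The rule stated in the description can be applied to a parsed CloudFormation template as in the added Python example below, which is not KICS's own query code. The name `find_narrow_deny_rules`, the treatment of `::/0` as covering all addresses, and the reporting of CIDR values held in intrinsic functions as `unresolved` are assumptions of this example; the sample input is constructed from the page's positive JSON test.

```python
import json

# Constructed sample: the two ACL entries from the page's positive JSON test.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "InboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {"RuleNumber": 100, "Protocol": 6, "RuleAction": "deny",
                     "CidrBlock": "172.16.0.0/24",
                     "PortRange": {"From": 22, "To": 22},
                     "NetworkAclId": {"Ref": "MyNACL"}}
    },
    "OutboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {"RuleNumber": 100, "Protocol": -1, "Egress": true,
                     "RuleAction": "deny", "CidrBlock": "0.0.0.0/0",
                     "NetworkAclId": {"Ref": "MyNACL"}}
    }
  }
}
""")

# Assumption: the IPv6 "all addresses" block is accepted alongside the IPv4 one.
ALL_ADDRESSES = {"0.0.0.0/0", "::/0"}


def find_narrow_deny_rules(template):
    """Return (logical_id, cidr) for deny entries that do not cover all addresses."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::NetworkAclEntry":
            continue
        props = resource.get("Properties", {})
        if str(props.get("RuleAction", "")).lower() != "deny":
            continue
        cidr = props.get("CidrBlock", props.get("Ipv6CidrBlock"))
        # Intrinsic functions (Ref, Fn::Sub, ...) parse as dicts and cannot be
        # resolved statically, so they are reported instead of silently passed.
        if not isinstance(cidr, str):
            findings.append((logical_id, "unresolved"))
        elif cidr.strip() not in ALL_ADDRESSES:
            findings.append((logical_id, cidr))
    return findings


if __name__ == "__main__":
    for logical_id, cidr in find_narrow_deny_rules(SAMPLE_TEMPLATE):
        print(f"{logical_id}: deny rule limited to {cidr}")
```

On the sample, only `InboundRule` is reported; `OutboundRule` denies `0.0.0.0/0` and passes.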